Today’s security and compliance environment is challenging, and no single vendor can solve the entire problem for you. CyberArk understands this, which is why we’ve created a powerful ecosystem of technology and channel partners that can provide you with a complete solution for your privileged account security and compliance requirements.

CyberArk’s award-winning software protects the high value assets of leading companies and government organizations around the world. We take that responsibility seriously. That’s why we only hire the best.

In essence, this flaw has more to do with how Active Directory is designed than it does with a bug. An attacker who obtains the NTLM hash from a client can then force authentication with it, bypassing the more-secure Kerberos system in favor of the (known to be weak) NTLM authn protocol. It’s a classic pass-the-hash attack, but one that is (a) enabled by default in AD, (b) not logged by the system, and (c) can be used even when Kerberos is selected for authentication, since Kerberos relies upon NTLM for encryption.

In doing so, there is an opportunity to break down and rebuild both the authn and authz model. Unlike Active Directory, this new model should comprise three elements:

Extensibility — unlike the network model that existed when AD was designed, the modern network is highly dynamic, with rapid system, service, and server provisioning and deprovisioning; by federating authn and centralizing authz, environmental change can be easily sustained without creating single failure points (as happened with AD in this case)

Auditability — relying on external logging exclusively can result in auth blind spots; wherever a user or service accesses a component under management from the authz system, permissions rules should broker that access and also log the incident in an immutable datastore.

Security — modern development practices and avoidance of legacy support requirements (such as the Kerberos/NTLM problem that arose in AD as a legacy of a Windows NT key system) helps to reduce the likelihood of built-in vulnerabilities

As organizations drive innovation and change in their own IT and development teams, they typically shift their architecture focus to the cloud. This creates an opportunity to set aside legacy technologies like Active Directory, which do not map to this new infrastructure stack, and in doing so create a more robust, secure, and cloud-native authz system.